Arla 0.35.10 pre4 builds on OSX 10.2

Alexandra Ellwood lxs at mit.edu
Thu Sep 26 18:01:07 CEST 2002


>>  > kalog requires tf_init, which isn't in MIT kerberos.
>
>The tf_* functions are not supported by Kerberos for Macintosh 
>because they are nearly impossible to implement on top of the CCAPI 
>v3 in a way that doesn't break at least some callers.  If you need 
>to be able to access the ticket cache directly on KfM, you should 
>call directly into the CCAPI.
>
>However, if your site is krb5 and is running krb524, you probably 
>just want to get the krb5 tickets via the krb5 ccache calls and call 
>krb524_convert_creds_kdc to get a krb4 CREDENTIALS structure from 
>your krb5 tickets.

After talking to Assar, I realize that I was confused about what 
kalog does.  Kalog wants the tf_* functions to write out the krb4 
ticket it receives from the kaserver.

The correct thing to do is to reimplement this behavior in terms of 
the CCAPI.  This is not hard.  You want to iterate over the ccaches 
looking for a ccache with the same principal as the one you just got 
a TGT for.  If you find one, write the creds there, otherwise create 
a new ccache and write the creds to the new ccache.

You can find documentation for the CCAPI here: 
<http://web.mit.edu/macdev/Development/MITKerberos/MITKerberosLib/CCacheLib/Documentation/ccache-api-v3.html>

Alternatively, you can just discard the tickets you got from the 
kaserver.  KfM automatically acquires v4 tickets with the same 
password used to get v5 tickets using either krb524 or the v4 
protocol.  So in mixed realms, KfM will most likely have already 
gotten v4 tickets for you.  Although in those realms perhaps the 
right solution is aklog?


Hope this helps,

--lxs
-- 
-----------------------------------------------------------------------------
Alexandra Ellwood                                               <lxs at mit.edu>
MIT Information Systems                               http://mit.edu/lxs/www/
-----------------------------------------------------------------------------
--




